April 07, 2009

Update: The bill is available as of 4/8 on thomas.gov, but not yet on govtrack.us. I'm sure it will be available there shortly. The language noted in my Part 1 does not appear to have changed.

I'll get to part 3 eventually, but today the question is where the heck is the actual text? According to thomas.gov, this bill is designated S.773 and it was introduced on 4/1/2009. The site itself says that normally bills are sent to the Library of Congress within a day or two after being introduced. As of this afternoon, it still says: "The text of S.773 has not yet been received from GPO". It really would be nice to see the actual bill instead of the draft so we know for sure what we are talking about. It's not that large as far as bills go, unless they dramatically added more to the draft. Maybe GPO is just dealing with a huge number of bills, which with this Congress is kind of a scary thought.

Or maybe, the date it was introduced is a clue. Nah, we can't be that lucky.

April 04, 2009

There's a little buzz on the Internet about a bill submitted this week by Senators John Rockefeller and Olympia Snowe. It is being called the "Cybersecurity Act of 2009" and the actual bill is not available yet via govtrack.us or thomas.gov as of this morning. There is what is titled a "staff working draft" that may or may not be authoritative available here. Being the geek that I am, I read through it this morning to try to measure whether the claims that it would give the president unprecedented control to shut down the Internet and eavesdrop on Internet communications were true. My preliminary conclusion is that the answer is mostly yes, partly no because one section is being misinterpreted, and mostly that people are missing some other large implications of what is a far more broadly intrusive bill than people think. This and what follows assumes, of course, that the working draft is what is actually being introduced.

First off, the partly no. In referring to "Federal government and private sector owned critical infrastructure information systems and networks", Section 14 of the bill states:

(b) FUNCTIONS.—The Secretary of Commerce—

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

People are interpreting that to mean the data on the networks, but I see that as applying to the actual detailed architecture of the networks themselves. Since an applicable network is any that the president defines as "critical", and there's no standard to hold him to at this point, that theoretically means any network in the US, public or private. Now, is that an issue?

Clearly the broad scope of that is a problem. Some sort of standard should have to be met before a network is defined as "critical infrastructure". As it is written, a case could be made that any telco or ISP in the country is "critical infrastructure". A lot of commerce can be disrupted if any of the major telcos are attacked. Even your local telco is "critical" since they provide 911 service (not to mention the "last mile" to the Internet in many cases). The more interesting question to me is just how much does the government already know about the detailed architecture of telco and ISP networks? Does this provision essentially lay the telcos bare to the government in ways that could be used to compromise or shut them down? Could it be the back door to the privacy concerns that are, inaccurately I think, now being stated? And note this in Section 18:

The President—...

(5) shall direct the periodic mapping of Federal government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;

Once again, how broadly that would apply makes a difference. I want to be skeptical here and not paranoid, but we would be wise to note that the first thing you would need to do to control a network and either filter it or shut it down would be to have a good map. How far would the federal government take that authority and do they really need that info handy? Do we really want them to have that info handy?

It will be interesting to see the telco/ISP response to this. It's one of those things where what they don't say may be as important as what they do say.

More: A bit more about network architecture. Over the years there are a couple people I know who have set up their own home firewall device or router. I was pleased that they were able to experience the thrill of the geek, but they both misinterpreted their accomplishment as meaning this whole network thing is not that complicated at all. I hated to break it to them that what they had just done was probably less than 1% of what it takes to build and lock down a multi-node enterprise network. I know because I once led a team that did it. It is a complicated task and there are tons of details that must be attended to or it either doesn't work correctly, or it isn't protected properly.

The reason I bring that up is that I used to guard those network details pretty jealously. Outsiders got information on a need to know basis. So did insiders for that matter. Knowledge is power and detailed knowledge of a network is very helpful for figuring out how to compromise its security. What that part of section 14 noted above will do, if I'm reading it correctly, is put a lot of what is now private network information into the hands of some agency. Forget for the moment any worry about the government using that info, what if they just lose it, or they get compromised? I suppose they might set up a "Fort Knox" type repository, but that's for money; we're just talking about some dumb info that only guards the networks of our "critical infrastructure".

What could possibly go wrong with the government acquiring all that info? Secrets never leak and government employees are never bribed. Right?

The other part leading the discussion now is Section 18 and these parts in particular:

The President—...

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;...

(6) may order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security;

There's an aspect here that seems to make sense: Of course the president should be able to shut down a federal government network that is compromised. I would think he had that authority already as chief executive, but I could be wrong about that. The same broad scope problems and lack of definition as above apply to these sections also. You can add in no definition of "cybersecurity emergency" or criteria for "in the interest of national security".

I find it hard to believe that the language as written in this draft will survive intact. The president, any president, needs some authority to be able to act in the face of growing threats on and to the Internet. I think it's safe to say that this is a badly written bill as is though, and is more suited to a dictatorship than a democracy. It deserves a lot of scrutiny.

I'll hit the other parts in another post. I have to get something done around the house today.